Five Questions to Ask Before Your Next Healthcare Data Breach
Dorothy DeAngelis, Health Solutions
Peter Kerr, Managing Director, Strategic Communications
Thomas G.A. Brown, Global Risk & Investigations Practice, Forensic & Litigation Consulting
In the summer of 2014, executives at a leading national insurance firm worked with FTI Consulting to create an action and response plan in the event of a major data breach. The plan's guiding principles were clear:

- Evaluate the impact of the incident.
- Engage corporate leadership according to the risk level involved.
- Reassure customers and resolve any impacts without regard to short-term costs.
- Prepare communications that would enable the company to convey key messages through every available channel, from call center teams to third-party partners to the public.

The plan also developed categories for the severity of any data breach and standardized ways to report incidents and document the company's subsequent actions. In other words, the plan laid out what to do when and who decides what for a range of events and actions, including informing the board and government agencies, as well as engaging third-party investigators and credit monitoring services. And the action and response plan put in place simulation exercises to prepare for a potential crisis.

Notably, this company, which has a significant footprint in the healthcare market, has not yet suffered a data breach. But given today's environment, it is not unreasonable to plan for one. In fact, it would be unreasonable not to do so.

In early February 2015, Anthem, one of America's largest health insurers, revealed that it had been attacked, with the personal information of some 80 million people exposed. This made it the biggest healthcare data breach in history. At the time of this writing, the hackers had yet to be identified definitively, but individuals somewhere had gained access to Anthem policyholders' medical identification and Social Security numbers, mailing addresses and email addresses. One danger (among others) is that this information could be used by hackers to perpetrate a variety of frauds.
Reportedly, phishing attacks were launched immediately by the hackers, trying to get policyholders to sign up for fake data protection services and provide even more personal information.

The information that hackers and criminals can retrieve by breaching healthcare organizations is considered more valuable than the mere credit card numbers collected in breaches of retail operations. Medical records command much higher prices on the black market than do credit card numbers. It's easy to cancel a credit card number, and the market is glutted thanks to incidents such as the December 2013 Target breach that compromised more than 40 million customers or the later Home Depot hack that exposed customer emails and over 56 million credit card accounts. Medical records, however, contain Social Security numbers and even physical descriptions that criminals can use to hijack identities, file fraudulent insurance claims, and create all sorts of profitable havoc for themselves while causing great financial damage to individuals and institutions.

All this should be viewed as a flashing red warning light to healthcare organizations. According to a Ponemon Institute study, the cost of a data breach to healthcare organizations in 2014 was far higher than in any other sector of the economy ($359 per capita in the healthcare sector compared with $206 in financial services companies and $155 in consumer products organizations).

In addition, more than ever before, the federal government is casting a sharp eye on the data privacy practices of healthcare organizations. The Office for Civil Rights sent a strong message last year to healthcare organizations by increasing its enforcement efforts and identifying 1,200 potential candidates for audits. This includes 800 entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, as well as 400 business associates. Since September 2009, there have been in excess of 1,000 breaches involving 500 or more entities in healthcare in the United States, with 34 breaches identified in June 2014 alone. Some recent post-breach settlements with the federal government involved NewYork-Presbyterian Hospital/Columbia University Medical Center, which paid $3.3 million in fines, and Columbia University, which settled its case for $1.5 million.

In this environment, it makes sense to have an incident response and crisis management plan in place, both as a way to prevent breaches and to mitigate their cost. Of course, not all breach prevention measures are created equal. Target's and Home Depot's defenses turned out to be inadequate, which subjected those companies to severe public criticism.

So how should compliance officers, information technology executives, Legal Departments and others charged with overseeing a healthcare organization's data security begin to assess how vulnerable an organization is, how it can maximize data protection and how it can reduce the cost of a breach when one occurs? What follows are five overarching questions that an officer in an organization should be asking in this age of data breaches.

Do you know where your data are?

A critical component of data and information governance is enterprise data awareness; that is, knowing what data are where and if the most important data are in a secure place. Possessing data awareness means having a complete view of enterprise data sources. The sites most likely to be affected by a breach include unstructured areas such as email, loose files on local drives or networks and files undergoing transfer. Venues also can include structured areas such as enterprise-wide systems. Data often exist simultaneously in multiple locations and in duplicate formats, some more secure than others.

A crucial step in breach prevention is the creation of an enterprise data map.
This is particularly important since identifying target information after a breach often isn't feasible. One effective initial step is to leverage current projects such as post-system migration or other data footprint-related programs to identify data repositories and understand their nature. Keep in mind that a significant number of key data sources can be found offline or outside the native source system. And remember: Just because key systems are protected does not mean the same information cannot exist elsewhere in the enterprise.

Another part of data awareness is monitoring the data entering and leaving an organization. A vital component to the security of data in healthcare systems is encryption protocols for the transmission of protected health information (PHI) to and from external vendors. The administration of business associate agreements and the oversight of the data security protocols of vendors and other external parties should be aggressive and continuous. For example, a major HIPAA-related crisis can be precipitated if a 1099 medical coder working for a subcontractor has his car broken into when medical records are lying on the front seat. In fact, monitoring the movement of sensitive data outside an organization is one of the most important elements of an effective data protection program.

Are your cyberdefenses adequate?

In light of the ever-evolving cyber threat environment and the consequences of a data breach, companies need to take a comprehensive approach to protecting the information they hold. The cyber threat is multi-varied: Not only must businesses defend against external, technical threats such as hackers who seek to penetrate computer networks and steal or corrupt data through sophisticated cyberattacks, but organizations must pay equal attention to insider, non-technical threats as well.
These latter categories can range from disgruntled employees who abuse their access to data to company personnel who innocently introduce malicious code into an enterprise's network through handling low-tech vectors such as infected thumb drives or by clicking links in spam or phishing emails.

There are a number of questions and factors companies should consider in developing a comprehensive information security plan.

First, has a cyber risk assessment been conducted? In this respect, businesses not only should identify and assess risks to their own network but also risks associated with any third-party vendors with whom data are stored or shared, an important consideration given that many companies outsource large data storage and backup tasks to outside contractors or share information with joint venture partners.

Second, has a cyber incident plan been developed? Rather than respond in an ad hoc fashion under pressure during a crisis, businesses will be better off if they take the time now to plan a coordinated response to a data breach. This includes deciding how evidence will be collected in a forensically sound manner, how information will be shared internally and externally with law enforcement and regulators, and how the computer network's integrity will be restored. Pre-planning cuts down on confusion and loss of critical information and puts leadership in the best position to respond efficiently.

Finally, companies should commit to reviewing and updating their information security plan regularly. Periodic reviews are necessary to account for changes in a company's network as a result of normal operations, including the acquisition of new businesses and their computer networks, and to keep up with the evolving threat landscape.
Are you compliant with HIPAA and HITECH?

HIPAA and HITECH set the standards for the security of electronic PHI and promote the adoption and meaningful use of health information technology. HIPAA and HITECH were designed to protect the confidentiality and security of individual PHI possessed by those entities covered by the laws. This includes health plans, hospital systems and various business associates. To stay compliant, healthcare organizations must continually monitor and adapt their policies and procedures, as well as provide training and education.

Too often, an organization learns how compliant it is only after a breach takes place. This is because answering the question before a breach occurs requires meticulous and time-consuming work. For example, organizations should be evaluating their current structure and policies continuously to ensure compliance with the latest privacy and security standards. This includes a review of all policies and procedures, auditing and monitoring reports, training materials and relevant business associate agreements. The organization or an outside vendor should regularly conduct onsite interviews and security walkthroughs to assess the existing processes and controls in order to determine the company's operational compliance with HIPAA and HITECH.

Do you have a crisis communications plan?

The 2014 Ponemon Institute study found that what hits an enterprise's bottom line hardest after a data breach is the loss of customer loyalty. After a breach, companies find they must spend heavily to restore their brand's image, retain old customers and acquire new ones.

In most cases, HIPAA requires public notification of data breaches within 60 days of the incident, including publishing a notification in the media. Plus, states have their own deadlines. But, sometimes, a healthcare organization may want to notify patients, customers or members sooner than the law requires.
Or, in the case of some smaller breaches, an organization may decide to pursue a low-profile strategy of minimal notification and publicity. The course taken depends on the scope of the breach, as well as myriad other factors. But one thing experts agree upon is that an organization should have a plan in place for notifying select leaders in the company immediately and for communicating the breach to the outside world. As some organizations have learned, failure to notify and deal with publicity around a breach can result in a significant loss of public trust and consequent damage to an enterprise's reputation and brand.

Here are some best practices that can help ensure that a company is fully prepared to effectively manage a data breach incident:

- Establish and maintain a communications infrastructure: It is essential that a company build a response team that can mobilize swiftly in the event of a breach to manage and coordinate the organization's overall response efforts. This team should consist of key decision makers, including executive leaders, as well as representatives from information technology and security, public relations, customer service, human resources and the Legal Department. Every member of the data breach response team should understand one's specific role and duties. Employees should be provided with the necessary resources and training to ensure that they are prepared to successfully discharge their responsibilities.
- Establish a structure of internal reporting: A streamlined cybersecurity reporting regimen is necessary to expedite engagement with the data breach response team and prompt key business, operational and communications decisions. A company should have a defined process for reporting a breach once one has been detected, ensuring that all pertinent parties are notified of the situation quickly, as appropriate.
- Understand how to properly evaluate the breach: A company's ability to accurately identify the level of threat it faces enhances its ability to implement the required level of response. If the assessment is conducted properly, the likelihood increases that the company will get its response right. For example, not all breaches require notification according to HIPAA; therefore, it is essential that a healthcare company recognize what constitutes a serious breach, as well as situations that require notification to affected individuals, the media, and the Secretary of Health and Human Services.
- Prepare draft communications: Responding speedily and transparently to a data breach demonstrates that a company acknowledges the circumstances and is working to rectify the problem, as well as helping to mitigate the damage of rumors. To ensure a quick response, a company should have on hand communications materials that have been reviewed and approved by executive leaders and the Legal Department (or outside counsel). When a breach occurs, the company easily can adjust the language to the event. Minimum communications include a standby statement, a news release and a notification letter.
- Determine a system for handling a notification: Mishandling a notification can lead to fines and other unbudgeted expenses, as well as negatively affect brand reputation and customer loyalty. There generally is little time to verify addresses and to print and mail a notification letter after a breach or to set up a call center and other services for affected stakeholders. Therefore, in most cases, a company should identify and select a vendor in advance that has the resources and capabilities to establish a call center and notify thousands, or even millions, of individuals by mail or email. Also, the company should consider creating a dark website around a breach, which would go live if the real thing happens.

Do you have a culture of compliance?

Beyond establishing policies, procedures and a Code of Conduct, management should make sure that its workforce and business associates clearly understand what the relevant laws, regulations and rules mean on a daily basis. In essence, an organization must develop a culture of compliance to protect patients, customers and members.

The once-a-year online tutorials and quizzes that many companies have put in place, as good as these tools may be, do not, by themselves, create a culture of compliance. In the best cases, this type of culture grows out of the commitment of top leadership and an extensive compliance communications program. Such a program should include several distinct steps:

- Translate compliance language into conversational language: Convert the dry material of compliance into a memorable, or even enjoyable, narrative while making it crystal clear why this is critical to the enterprise and to its employees and business associates.
- Determine the current state of compliance culture: Use surveys, focus groups, interviews with executives, and reviews of data and materials to establish a benchmark of employee knowledge, attitudes and values. Findings should be compared with best practices inside one's industry and in other industries.
- Program development: Identify channels that are available for communicating with the organization's workforce and business associates, refreshing those vehicles that have not been used in the recent past and devising new ones. At this point, it is important to develop a communications strategy and engage the company's top leadership in the program.
- Execute a 360-degree compliance communications program: Start by establishing roles for top management so it can publicly demonstrate its commitment to compliance. Follow this by the training of supervisors so that the information cascades throughout the organization through face-to-face meetings, town halls, emails, websites, apps, posters, contests, awards and other channels.
- Measure and repeat: Measure and re-measure knowledge, attitudes and beliefs; publicize progress and gaps that must be addressed; readjust and realign the program to make it more effective.

Being compliant with HIPAA, HITECH and other laws and regulations is necessary but not, in itself, sufficient to address all the issues that grow out of a data breach. As Anjanette H. Raymond, professor at Indiana University, has written, in most instances, existing laws did not foresee the massive amounts of data that would be collected across environments, and few laws envisioned data collection from a global perspective. In addition, even if businesses collect information in a legally compliant manner, consumers, including healthcare patients, are growing uneasy about the use and widespread distribution of their personal information. As Raymond says, "While it may seem easier and less costly to sit back and wait for trends to become full-fledged law, customers no longer will wait for these protections and will find it increasingly difficult to understand the apathy of business toward data protection."

Peter Kerr, Managing Director, Strategic Communications, Peter.Kerr@fticonsulting.com
Dorothy DeAngelis, Health Solutions, Dorothy.DeAngelis@fticonsulting.com
Thomas G.A. Brown, Global Risk & Investigations Practice, Forensic & Litigation Consulting, Tom.Brown@fticonsulting.com

For more information and an online version of this article, visit ftijournal.com.

The views expressed in this article are those of the authors and not necessarily those of FTI Consulting, Inc. or its other professionals. © 2015 FTI Consulting, Inc. All rights reserved.
More informationArt Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches
Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA
More informationState of Security Survey GLOBAL FINDINGS
2011 State of Security Survey GLOBAL FINDINGS CONTENTS Introduction... 4 Methodology... 6 Finding 1: Cybersecurity is important to business... 8 Finding 2: The drivers of security are changing... 10 Finding
More informationBrief. The BakerHostetler Data Security Incident Response Report 2015
Brief The BakerHostetler Data Security Incident Response Report 2015 The rate of disclosures of security incidents in 2015 continues at a pace that caused many to call 2013 and then 2014 the year of the
More informationCyber Risk: Global Warning? by Cinzia Altomare, Gen Re
Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Global Warning It is a matter of time before there is a major cyber attackon the global financial system and the public needs to invest heavily in
More informationInternet threats: steps to security for your small business
Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationData breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd
Data breach, cyber and privacy risks Brian Wright Lloyd Wright Consultants Ltd Contents Data definitions and facts Understanding how a breach occurs How insurance can help to manage potential exposures
More informationCybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015
Cybersecurity: A Growing Concern for All Businesses RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015 RLI Design Professionals is a Registered Provider with The American
More informationRISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION
RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION October 23, 2015 THREAT ENVIRONMENT Growing incentive for insiders to abuse access to sensitive data for financial gain Disgruntled current and former
More informationData Security: Risks, Compliance and How to be Prepared for a Breach
Data Security: Risks, Compliance and How to be Prepared for a Breach Presented by: Sandy B. Garfinkel, Esq. The Data Breach Reality: 2015 AshleyMadison.com (July 2015) Member site facilitating personal
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationInto the cybersecurity breach
Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing
More informationInsulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact. February 10, 2015
Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact February 10, 2015 Overview 1 The Legal Risks And Issues/The Role Of Legal Counsel: The Breach Coach The Slippery
More informationAnatomy of a Healthcare Data Breach
BUSINESS WHITE PAPER Anatomy of a Healthcare Data Breach Prevention and remediation strategies Anatomy of a Healthcare Data Breach Table of Contents 2 Increased risk 3 Mitigation costs 3 An Industry unprepared
More informationAre your people playing an effective role in your cyber resilience?
Are your people playing an effective role in your cyber resilience? 01 Cyber attacks are now business as usual for organizations around the world. Organizations have typically trusted in technology to
More informationCYBER RISK SECURITY, NETWORK & PRIVACY
CYBER RISK SECURITY, NETWORK & PRIVACY CYBER SECURITY, NETWORK & PRIVACY In the ever-evolving technological landscape in which we live, our lives are dominated by technology. The development and widespread
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report
More informationWRITTEN TESTIMONY OF
WRITTEN TESTIMONY OF KEVIN MANDIA CHIEF EXECUTIVE OFFICER MANDIANT CORPORATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM JUDICIARY COMMITTEE UNITED STATES SENATE May 8, 2013 Introduction Thank you
More informationThreat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437. Specialist Security Training Catalogue
Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437 Specialist Security Training Catalogue Did you know that the faster you detect a security breach, the lesser the impact to the organisation?
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationCyber Security Management
Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrently theme of targets of hacker attacks and companies
More informationThe Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training
The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training Introduction The HIPAA Security Rule specifically requires training of all members of the workforce.
More informationPanel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices
Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Over the course of this one hour presentation, panelists will cover the following subject areas, providing answers
More information2015 CENTRI Data Breach Report:
INDUSTRY REPORT 2015 CENTRI Data Breach Report: An Analysis of Enterprise Data Breaches & How to Mitigate Their Impact P r o t e c t y o u r d a t a Introduction This industry report attempts to answer
More informationHackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common
Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable Steven J. Fox (sjfox@postschell.com) Peter D. Hardy (phardy@postschell.com) Robert Brandfass (BrandfassR@wvuh.com) (Mr. Brandfass
More informationWHITE PAPER BREACH, PRIVACY, AND CYBER COVERAGES: FACT AND FICTION CYBER COVERAGES
BREACH, PRIVACY, AND CYBER COVERAGES: FACT AND FICTION IDT911 1 DEFINITIONS 1. Cyber Programs - Focuses on services and systems related to technology and their use in business. Risks addressed include
More informationThe HIPAA Omnibus Final Rule
WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia
More information$194 per record lost* 3/15/2013. Global Economic Crime Survey. Data Breach Costs. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP
David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Global Cyber Crime is the fastest growing economic crime Cyber Crime is more lucrative than trafficking drugs!
More informationHIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com
HIT Audit Workshop Jeffrey W. Short jshort@hallrender.com 1 Audits and Investigations to be Discussed Meaningful Use Audits HIPAA Audits Data Breach Investigations Software Vendor Audits FTC Investigations
More informationData Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked
Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed
More informationNEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16
NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The
More informationHIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1
HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps
More informationInsurance Considerations Related to Data Security and Breach in Outsourcing Agreements
Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements Greater New York Chapter Association of Corporate Counsel November 19, 2015 Stephen D. Becker, Executive Vice President
More informationCorporate Incident Response. Why You Can t Afford to Ignore It
Corporate Incident Response Why You Can t Afford to Ignore It Whether your company needs to comply with new legislation, defend against financial loss, protect its corporate reputation or a combination
More informationHIPAA Compliance Review Analysis and Summary of Results
HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk
More informationA New (?) Perspective on Cyber Risk For the Retail and Food Sector Vince Crisler, Partner & Co-Founder
A New (?) Perspective on Cyber Risk For the Retail and Food Sector Vince Crisler, Partner & Co-Founder FMI Connect 2015, Chicago, IL Overview Cyber Threat & Risk The Good, Bad and Ugly Lessons Learned
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationSurviving a HIPAA Audit: What you need to know NOW So you can cope THEN. Jonathan Krasner www.beinetworks.com www.hipaasecurenow.
Surviving a HIPAA Audit: What you need to know NOW So you can cope THEN Jonathan Krasner www.beinetworks.com www.hipaasecurenow.com Healthcare IT Landscape Meaningful Use Incentives Technology Advances
More informationUnderstanding Professional Liability Insurance
Understanding Professional Liability Insurance Definition Professional liability is more commonly known as errors & omissions (E&O) and is a form of liability insurance that helps protect professional
More informationThe Future of Data Breach Risk Management Response and Recovery. The Cybersecurity Forum April 14, 2016
The Future of Data Breach Risk Management Response and Recovery Increasing electronic product life and reliability The Cybersecurity Forum April 14, 2016 Today s Topics About Merchants Information Solutions,
More informationHIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help
HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,
More informationDATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT
Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security
More informationTHE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS
THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Investment in cyber insurance Lockton Companies
More informationBusiness Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule
Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under
More informationHCCA Compliance Institute 2013 Privacy & Security
HCCA Compliance Institute 2013 Privacy & Security 704 Conducting a Privacy Risk Assessment A Practical Guide to the Performance, Evaluation and Response April 23, 2013 Presented By Eric Dieterich Session
More information